The Internet Protocol (“IP”) is an addressing protocol designed to facilitate the routing of traffic within a network or between networks. The IP is used on many computer networks including the Internet, intranets and other networks. Current versions of IP such as Internet Protocol version-4 (“IPv4”) are becoming obsolete because of limited address space. With a 32-bit address-field, it is possible to assign 232 different addresses, which is 4,294,967,296, or greater than 4 billion globally unique addresses.
However, with the explosive growth of the Internet and intranets, IP addresses using a 32-bit address-field may soon be exhausted. Internet Protocol version-6 (“IPv6”) proposes the use of a 128-bit address-field for IP addresses. However, a large number of legacy networks including a large number of Internet subnets will still be using older versions for IP with a 32-bit address space for many years to come.
Network Address Translation (“NAT”) has been proposed to extend the lifetime of Internet Protocol version 4 and earlier versions of Internet Protocol by allowing subnets to exist behind a single or small number of globally unique IP addresses (see e.g., “The IP Network Address Translator”, by P. Srisuresh and K. Egevang, Internet Engineering Task Force (“IETF”), Internet Draft<draft-rfced-info-srisuresh-05.txt>, February 1998). A single global IP address is used for communication with external networks such as the Internet. Internally, a sub-network (“subnet”) uses local addressing. Local addressing may be either any addressing scheme that is different from IP addressing, or a non-unique usage of IP addresses. In either case, local addresses on a subnet are not used on the external, global Internet. When a device or node using local addressing desires to communicate with the external world, its local address is translated to a common external IP address used for communication with an external network by a NAT device. That is, NAT allows one or more global IP addresses to be shared among a larger number of local addresses.
There are several problems associated with using NAT to extend the life of the IP. NAT interferes with the end-to-end routing principal of the Internet that recommends that packets flow end-to-end between network devices without changing the contents of any packet along a transmission route (see e.g., “Routing in the Internet,” by C. Huitema, Prentice Hall, 1995, ISBN 0-131-321-927).
Current versions of NAT replace a local network address in a data packet header with an external global network address on outbound traffic, and replace an external network address in a data packet header with a local network address on inbound traffic. This type of address translation is computationally expensive, causes security problems by preventing certain types of encryption from being used, or breaks a number of existing applications in a network that cannot provide NAT (e.g., File Transfer Protocol (“FTP”)).
Current versions of NAT may not gracefully scale beyond a small subnet containing a few dozen nodes or devices because of the computational and other resources required. NAT potentially requires support for many different internal network protocols be specifically programmed into a translation mechanism for external protocols in a NAT device such as a NAT router.
Computational burdens placed on a NAT router may be significant and degrade network performance, especially if several NAT-enabled sub-networks share the same NAT router. In a worst case scenario, a NAT router translates every inbound and outbound data packet. When NAT is used to translate a TCP/IP or UDP/IP data packet, the packet's IP, TCP or UDP checksums are recalculated.
As is known in the art, TCP (“TCP”) and UDP are often used over IP in computer networks. TCP provides a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols that support multi-network applications. UDP provides a transaction oriented datagram protocol, where delivery and duplicate packet protection are not guaranteed.
When a port in a TCP or UDP header is translated, the packet's TCP or UDP checksums are also recalculated. This further increases the computational cost of translation in a NAT router.
When an IP address or port is translated with NAT, a new length may result for the data packet and a possible change in a TCP sequence number. A running sequence number offset (i.e., a delta) must then be maintained throughout the remainder of the connection. This delta must be applied to future traffic, including acknowledgment numbers further increasing computational time in a NAT router.
In addition to TCP or UDP, a NAT router may also translate network addresses, ports, change lengths and maintain sequence numbers for a number of different protocols that may use an IP address or port number (e.g., FTP, H.323, H.324, CUSeeME, RealAudio, Internet Relay Chat and others). This translation may further increase computational time in a NAT router.
The IP is used on global computer networks such as the Internet, and on many private networks such as intranets and Virtual Private Networks. It is often desirable to protect information sent with the IP using different types of security. Using security with the IP allows private or sensitive information to be sent over a public network with some degree of confidence that the private or sensitive information will not be intercepted, examined or altered.
IPSEC is a protocol for implementing security for communications on networks using the IP through the use of cryptographic key management procedures and protocols. Communications between two endpoints of an IP traffic flow are made end-to-end-secure by the IPSEC protocol on an individual IP packet-to-packet basis. IPSEC protocol entities at connection endpoints have access to, and participate in, critical and sensitive operations that make a common connection secure.
IPSEC currently includes two security services, each having an associated header that is added to an IP packet that is being protected. The two security services include an Authentication Header (“AH”) and an Encapsulating Security Payload (“ESP”) header. The Authentication Header provides authentication and integrity protection for an IP packet. The Encapsulating Security Payload header provides encryption protection and authentication for an IP packet.
The IPSEC protocol headers are identified in a protocol field of an IP data packet header. The IPSEC protocol header specifies the type (e.g., Authentication Header or Encapsulating Security Payload) and contains a numerical value called the Security Parameter Index (“SPI”). The Security Parameter Index together with a destination IP address and Internet Security protocol form a unique identifier used by a receiving system to associate a data packet with a construct called a “security association.” The Security Parameter Index is used by the receiving system to help correctly process an IP packet (e.g., to decrypt it, or to verify its integrity and authenticity).
IPSEC establishes and uses a Security Association (“SA”) to identify a secure channel between two endpoints. A Security Association is a unidirectional session between two termination endpoints. Two termination endpoints of a single Security Association define a logical session that is protected by IPSEC services. One endpoint sends IP packets, and a second endpoint receives the IP packets. Since a Security Association is unidirectional, a minimum of two Security Associations is required for secure, bi-directional communications. It is also possible to configure multiple layers of IPSEC protocols between two endpoints by combining multiple Security Associations.
There are several problems associated with using current versions of NAT when security is required and the IPSEC protocol is used. Current versions of NAT violate certain specific principles of the IPSEC protocol that allow establishment and maintenance of secure end-to-end connections of an IP network.
A NAT router typically needs to modify an IP packet (e.g., network ports, etc.). However, once an IP packet is protected by IPSEC, it must not be modified anywhere along a path from an IPSEC source to an IPSEC destination. Most NAT routers violate IPSEC by modifying, or attempting to modify individual IP packets.
Even if a NAT router does not modify data packets it forwards, it must be able to read network port numbers (e.g., TCP, UDP, etc.) in the data packets. If certain IPSEC features are used (e.g., Encapsulated Security Payload (“ESP”)), the network port numbers are encrypted, so the NAT router typically will not be able to use the network ports for NAT mapping.
Local host network devices on a Local Area Network (“LAN”) that use NAT typically possess only local, non-unique IP addresses. The local non-unique IP addresses do not comprise a name space that is suitable for binding an encryption key (e.g., a public key) to a unique entity. Without this unique binding, it is not possible to provide necessary authentication for establishment of Security Associations. Without authentication, an endpoint of a connection cannot be certain of the identity of another endpoint, and thus cannot establish a secure and trusted connection.
Local host network devices on the LAN that use NAT may also be susceptible to denial of service attacks from external network devices that have not established SAs with the local host network devices. By the external network devices transmitting data packets using an SPI that belongs to the local host network devices, as well as an IP address that belongs to the NAT router and is shared with the local host network devices, these packets will be forwarded by the NAT router to the local host network devices. While the local host network devices may discard these packets upon receipt, the external network devices may transmit hundreds or thousands of packets in rapid succession, thereby swamping resources of the LAN, its local host network devices, and/or the NAT router. This swamping of resources is well-known in the art as a Denial of Service (DoS) attack. DoS attacks can cause disruptions, or even complete breakdowns, in communications among local host network devices, and between local host network devices and external network devices.
Thus, it desirable to provide a method for DNAT with IPSEC that can control and limit disruptions caused by DoS attacks. As with ordinary DNAT, this method should not increase the burden on a router or other network device that provides the address translation. In addition, this method should also allow IPSEC to be used with DNAT to provide secure communications between internal and external network devices.